CVE-2026-8706
Description
Firefox for iOS hosted Reader mode on an unauthenticated local web server, allowing another application on the same device to request arbitrary URLs and receive the response rendered with the signed-in user's cookies. This vulnerability was fixed in Firefox for iOS 151.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Firefox for iOS's Reader mode runs an unauthenticated local web server, letting other apps on the same device fetch arbitrary URLs with the user's cookies; fixed in version 151.0.
Vulnerability
Firefox for iOS hosted Reader mode on an unauthenticated local web server. This allows another application on the same device to request arbitrary URLs and receive the response rendered with the signed-in user's cookies [1]. The vulnerability affects versions prior to Firefox for iOS 151.0 [2].
Exploitation
An attacker would need a malicious application installed on the same device as the vulnerable Firefox for iOS. The local web server is unauthenticated, so no credentials are required. The attacker's app can request any URL through the local server and receive the response rendered with the signed-in user's cookies [1].
Impact
A successful attack allows the malicious application to read responses from arbitrary URLs that are rendered with the user's signed-in cookies. This leads to disclosure of sensitive user data associated with those sessions [1].
Mitigation
The vulnerability is fixed in Firefox for iOS version 151.0 [1]. Users should update to that version or later. No workaround is available for earlier versions.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <151.0
- Range: <151.0
Patches
No patches discovered yet.
References
- www.mozilla.org/security/advisories/mfsa2026-49/ (nvd, Vendor Advisory)
- bugzilla.mozilla.org/show_bug.cgi (nvd, Permissions Required)